Former Uber security chief convicted of covering up data breach | VN-Zoom | Community for Sharing Technology and Computer Software Knowledge

Uber’s former head of security has been convicted of covering up a 2016 data breach at the rideshare giant, hiding details from US regulators and paying off a pair of hackers in return for their discretion.


The trial, closely watched in cyber security circles, is believed to be the first criminal prosecution of a company executive over the handling of a data breach. Joe Sullivan, who left Uber in 2017, was found guilty on Tuesday by a San Francisco jury of obstructing an investigation by the Federal Trade Commission. At the time of the 2016 breach, the regulator had been investigating the car-booking service over a different cyber security lapse that had occurred two years earlier. Jurors also convicted Sullivan of a second count related to having knowledge of, but failing to report, the 2016 breach to the appropriate government authorities. The incident eventually became public in 2017 when Dara Khosrowshahi, who had just taken over as chief executive, disclosed details of the attack.

Joe Sullivan was found guilty of obstructing justice for keeping the breach from the Federal Trade Commission, which had been probing Uber’s privacy protections at the time, and of actively hiding a felony.

The verdict ended a dramatic case that pitted Sullivan, a prominent security expert who was an early prosecutor of cybercrimes for the San Francisco U.S. attorney’s office, against his former government office. In between prosecuting hackers and being prosecuted, Sullivan served as the top security executive at Facebook, Uber and Cloudflare.

Judge William H. Orrick did not set a date for sentencing. Sullivan may appeal if post-trial motions fail to set the verdict aside.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Sullivan attorney David Angeli said after the 12-member jury rendered its unanimous verdict on the fourth day of deliberations.

Even without Sullivan’s job history, the trial would have been closely watched as the first major criminal case brought against a corporate executive over a breach by outsiders.

It also may be one of the last: In the five years since Sullivan was fired, payoffs to extortionists, including those who steal sensitive data, have become so routine that some security firms and insurance companies specialize in handling the transactions.

“Paying out the ransom I think is more common than we’re led to believe. There is an attitude that’s similar to a fender bender,” said Michael Hamilton, founder of security firm Critical Insight.

Uber's former head of security, Joe Sullivan, was found guilty in a federal court Wednesday of concealing a 2016 data breach for more than a year. A jury rejected Sullivan's argument that other Uber executives were aware of the data breach and responsible for it not being publicly disclosed for over a year, according to Bloomberg.

Sullivan was convicted of obstructing justice by keeping the breach hidden from the Federal Trade Commission and actively hiding a felony by authorizing payments to the hacker responsible, according to the Washington Post.

FBI leaders, while officially discouraging the practice, have said they will not pursue the people and companies that pay ransoms if they don’t violate sanctions prohibiting payments to named criminal groups especially close to the Russian government.